Book Image

Python Digital Forensics Cookbook

By : Chapin Bryce, Preston Miller

Book Image

Python Digital Forensics Cookbook

By: Chapin Bryce, Preston Miller

Overview of this book

Technology plays an increasingly large role in our daily lives and shows no sign of stopping. Now, more than ever, it is paramount that an investigator develops programming expertise to deal with increasingly large datasets. By leveraging the Python recipes explored throughout this book, we make the complex simple, quickly extracting relevant information from large datasets. You will explore, develop, and deploy Python code and libraries to provide meaningful results that can be immediately applied to your investigations. Throughout the Python Digital Forensics Cookbook, recipes include topics such as working with forensic evidence containers, parsing mobile and desktop operating system artifacts, extracting embedded metadata from documents and executables, and identifying indicators of compromise. You will also learn to integrate scripts with Application Program Interfaces (APIs) such as VirusTotal and PassiveTotal, and tools such as Axiom, Cellebrite, and EnCase. By the end of the book, you will have a sound understanding of Python and how you can use it to process artifacts in your investigations.

Preface

What this book covers

What you need for this book

Who this book is for

Reader feedback

Customer support

Free Chapter

Essential Scripting and File Information Recipes

Essential Scripting and File Information Recipes

Handling arguments like an adult

Iterating over loose files

Recording file attributes

Copying files, attributes, and timestamps

Hashing files and data streams

Keeping track with a progress bar

Logging results

Multiple hands make light work

Creating Artifact Report Recipes

Creating Artifact Report Recipes

Using HTML templates

Creating a paper trail

Working with CSVs

Visualizing events with Excel

Auditing your work

A Deep Dive into Mobile Forensic Recipes

A Deep Dive into Mobile Forensic Recipes

Parsing PLIST files

Handling SQLite databases

Identifying gaps in SQLite databases

Processing iTunes backups

Putting Wi-Fi on the map

Digging deep to recover messages

Extracting Embedded Metadata Recipes

Extracting Embedded Metadata Recipes

Extracting audio and video metadata

The big picture

Mining for PDF metadata

Reviewing executable metadata

Reading office document metadata

Integrating our metadata extractor with EnCase

Networking and Indicators of Compromise Recipes

Networking and Indicators of Compromise Recipes

Getting a jump start with IEF

Coming into contact with IEF

Going hunting for viruses

Gathering intel

Totally passive

Reading Emails and Taking Names Recipes

Reading Emails and Taking Names Recipes

Parsing EML files

Viewing MSG files

Ordering Takeout

What’s in the box?!

Parsing PST and OST mailboxes

Log-Based Artifact Recipes

Log-Based Artifact Recipes

Parsing IIS web logs with RegEx

Going spelunking

Interpreting the daily.out log

Adding daily.out parsing to Axiom

Scanning for indicators with YARA

Working with Forensic Evidence Container Recipes

Working with Forensic Evidence Container Recipes

Opening acquisitions

Gathering acquisition and media information

Iterating through files

Processing files within the container

Searching for hashes

Exploring Windows Forensic Artifacts Recipes - Part I

Exploring Windows Forensic Artifacts Recipes - Part I

One man's trash is a forensic examiner's treasure

A sticky situation

Reading the registry

Gathering user activity

The missing link

Searching high and low

Exploring Windows Forensic Artifacts Recipes - Part II

Exploring Windows Forensic Artifacts Recipes - Part II

Parsing prefetch files

A series of fortunate events

Indexing internet history

Shadow of a former self

Dissecting the SRUM database

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

Introduction

Technology has come a long way and, with it, the extent to which tools are made widely available has changed too. As a matter of fact, being cognizant of the tools' existence is half the battle due to the sheer volume of tools available on the internet. Some of these tools are publicly available and can be bent toward forensic purposes. In this chapter, we will learn how to interact with websites and identify malware through Python, including an automated review of potentially malicious domains, IP addresses, or files.

We start out by taking a look at how to manipulate Internet Evidence Finder (IEF) results and perform additional processing outside of the context of the application. We also explore using services such as VirusShare, PassiveTotal, and VirusTotal to create HashSets of known malware, query suspicious domain resolutions, and identify known bad domains...